• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Verification tests
4. • A pentest is a set of authorized cyber attacks, in order to discover and
verify the vulnerabilities of an information system.
• In a typical pentest session, vulnerabilities are carefully exploited.
– Customer will be informed of all steps.
– Tests will be performed against all systems of the customer.
What is a Pentest?
5. • Depicting the current security level of a company
• Identifying the gaps, and security consciousness of both systems and
human resources against possible breaches.
• Pentests find out; How big and what sensitive information will be lost in
case of a cyber attack.
Why to perform a Pen-test?
6. • Independent IT-Security Institute reports around 150,000 malwares
were produced , in 2014.
• AV-TEST Institute reports 390,000 new malwares every day.
• Kaspersky LAB reports that;
– 6,167,233,068 malwares were found in year 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in E-Business; half of them have
suffered losses because of cyber attacks.
• Different attack types and methods are discovered each day.
Why to perform a Pen-test
7. • Carbanak: A cyber gang with financial
Have stolen 1 billion US Dollars (using
malware and remotely) in 30 different
• Sony: A no pity cyber attack, causing a
big reputation loss by company.
• HSBC Turkey: November, 2014: 2.7
million card info was stolen
International Cyber Security Incidents-2014
8. • Vulnerabilites of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain Business Continuity
• Decreases the possibility of real attacks
• Protects staff, customers and business partners
• Helps to be compliant with
– PCI DSS
• Increases know-how and facilitates analysis for real attacks.
• Preserves company reputation
What are the benefits of a Pen-test?
9. • Determining the Scope
– Web App pentest
– End user and social engineering attacks
– Ddos and performance tests
– Network infrastructure tests
– External and Internal network tests
– Mobile App pentest
– Virtualization system pentest
– Database pentest
How is Pentest performed?
11. • Performing the Test
– Information gathering
– Analysis and plan
– Discovering vulnerabilities
– Gaining access
– Privilege Escalation
– Analysis and Reporting
– Post-Fix Verification
How is Pentest performed?
★ Our Pentest reports cover each and only
relevant (that is potentially causing a risk) risk
★ We never deliver auto-scan results to the
customer, and we employ and encourage our
staff in specific fields of pentesting.
★ We are a team composed of web pentesters,
scada tester, ddos expert, network pentesters,
social engineer and wireless pentester.
12. • Following domains are tested against possibility for information leakage and
• Mistakes/Shortcomings in application development
• Configuration errors
• Security awareness of staff
• System protection level
• Infrastructure security level
• Insecure certificate usage
• Patch level of Applications
• Patch level of Operating Systems
are tested and observed in order to identify the security level of the determined scope.
Target systems in a pentest
13. • External Network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
• Unhappy employee profile
• Disgruntled employee profile
– Manager profile
Attacker profiles in a pentest
14. • Critical terms for the industry and the company
• Before and After corporate milestones.
• Hiring/Firing critical personnel
• The weak system
• The strong system
When to perform a pentest
15. • At least once a year
• After system change & new system deployments
• After new system integrations.
How often are Pentests performed?
16. • All findings during the pentest are analyed, verified and reported.
• A detailed explanation of findings, with solution recommendation and
steps to resolve are submitted in the report.
• Findings are categorized. Findings by category, findings by severity are
statistically graphed in the reports.
18. Security re-evaluation of the company
• An executive summary report is delivered to the executives, which
shows the general security evaluation of the company.
• A project closure meeting will be organized to discuss the report.
19. • After a detailed explanation of findings and delivery of final report, the
company is expected to close the gaps.
• After the gap-closure, a time frame is determined by both parties for
• Findings in the report are reevaluated in the verification tests.